The digital transformation of operational technology (OT) for monitoring and controlling physical processes has introduced new blind spots and magnified others, making industrial control systems (ICS) susceptible to nation-state attacks.
We’ve already seen terrorist attacks that prioritize breaching a power station over targeting a densely populated area with military weaponry. Consider the power grid attack in December, 2015 that kept more than 230,000 people in the dark in western Ukraine for upwards of six hours. The country blamed Russia for the attack. Twelve months later, the power system was targeted once again, this time affecting a large part of capital city Kiev. A power distributor in Puerto Rico suffered a denial-of-service cyberattack this June, causing blackouts for hundreds of thousands of residents, before a fire ravaged the substation.
It isn’t far-fetched to think that a nation-state attack could aim to cause a weeks-long blackout in a large city like New York. In fact,, experts think that something in that realm is likely to occur.
A Ponemon Institute report sponsored by Siemens found that 56% of OT security professionals surveyed reported at least one attack involving a loss of private information or an outage in their OT environment in the past 12 months.
How have these types of attacks become so popular? And what needs to be done to foster a more secure OT environment?
The Fourth Industrial Revolution
Utilities are modernizing, looking for gains in efficiency and productivity. Achieving those goals means digitizing and automating many processes that were previously done in-house and manually. That transition is occurring so rapidly that security is an afterthought.
The quick digital overhaul of industrial processes, widely referred to as the Fourth Industrial Revolution is bringing more systems and processes online. This inherently creates more potential entry points for threat actors, and with so many industries doing this at once, there’s greater opportunity for a more consequential attack.
In previous decades, the data centers and mainframes that run ICS components were “air gapped,” meaning that the IT systems were on a local network, but not connected to the internet. Many facilities mistakenly thought that made their systems safe from attack, but they were still vulnerable to on-premises attacks like a “bash bunny” attack that could compromise a system with a virus through a USB device.
This was the case in Iran when the Bushehr nuclear power plant was attacked using the Stuxnet worm. Introduced to the network via a flash drive, Stuxnet then spread to infect other assets on the network, such as the centrifuges used to enrich uranium gas.
As more utilities and OT facilities race to get their systems online, they haven’t allocated proper resources for security as one of the steps in the process. The more pieces of legacy equipment that are connected, and internet of things (IoT) devices added, the greater the attack surface for potential threat actors.
Threat Actors Are Evolving
Magnifying the issue of lax security are the increasingly creative and sophisticated ways in which threat actors exploit organizations. In fact, they’re not always the ones infiltrating the network.
According to the Ponemon Institute study, insider threats represent the majority of OT attacks. One of the most notable was way back in 1999 in what was then Australia’s Shire of Maroochy. A disgruntled worker who was managing the sewage pipes resigned, and shortly thereafter exploited the system through a pirated copy of the control system software.
Insider threats aren’t always malicious employees; negligent users often fall victim to phishing attacks, use weak passwords, and click links that give hackers access. Another common vector is a third party or contractor that opens a door to the network and leads to exploitation. In the Kaseya supply chain attack, ransomware gang REvil gained access to hundreds of companies through a software update. Third parties generally aren’t secure, and companies shouldn’t assume that they are.
Gartner has been bullish on OT security and has sounded the alarm that industrial organizations are struggling to define appropriate control frameworks. Gartner also says that by 2025, attackers “will have weaponized OT environments to successfully harm or kill humans.”
Too many companies are so deeply rooted in their processes over the last several decades that they don’t see these hacks, breaches, and attacks from headlines as threats to themselves. They don’t want to fix what, in their minds, isn’t broken. In fact, they don’t even see the potential for it to be broken until it breaks.
A New Approach to Securing OT
Companies need proper visibility into their networks and a comprehensive understanding all the way down to the individual asset level, including how those resources and users connect with each other and the networks as a whole. Often, those that finally dig into the details of their networks will find ghost assets they were unaware of. Those are security issues that you need to catch before they’re exploited.
The first step companies can take to better protect themselves is simply to educate employees on proper security hygiene with comprehensive security training. Too often the companies that shine the light on security do so haphazardly, with a quick slide deck and no follow-up with employees as to the importance of what they just learned.
The top priority is always going to be the effectiveness and functionality of OT machines, but if they’re under attack, what good are they? Educating employees on what to look for and just how common attacks have become could go a long way.
An observant employee averted disaster in March 2021, when the water system in Oldsmar, Florida was hacked and the level of sodium hydroxide increased by a threat actor to a dangerous level. Luckily, an engineer was on top of the situation, noticed the change, and quickly recognized that it was an attack and not merely a malfunction.
In October, stations all over Iran were forced to close. The country said that a cyberattack was to blame, and targeted government-issued electronic cards that subsidize fuel prices for Iranians.
To protect against attacks like these, companies need full visibility into their networks, allowing them to see all assets that are connected and vulnerable. But that’s only the first step. There are comprehensive OT security tools available that provide alerts on ICS machinery not just for security actions, but also productivity red flags. Proper security controls will offer visibility and response capabilities for the OT network without affecting day-to-day operations or making substantial changes to the network.
Passive technologies can monitor activity without affecting sensitive OT networks in any way, unlike disruptive, “in-line” platforms. The right passive platform will be able to cater to high throughputs and ensure minimal rates of false positives.
Utilizing new tools may be daunting for career OT executives who are reluctant to change proven processes, but it’s better to be prepared than live in fear of a potential attack that causes widespread harm to both the company and its consumers.
Elad Ben-Meir is chief executive officer of SCADAfence.
Timely, incisive articles delivered directly to your inbox.